Thursday, September 19, 2013

Upgrade to Asterisk 11 and fail2ban 0.8.8 to protect Asterisk like never before, here’s why and how.

Asterisk 11 introduced the security event log channel, which records every security event (success, failure, etc.) that the old full log could not show. Scripted attacks like sipvicious, which scan your system or bombard it with auth requests, would not trigger a super uber cool tool like fail2ban, because the source IP is not shown, as in the log entries below;

Now, notice that the same attack with the security logging channel enabled shows the IP of the attacker, highlighted in bold above. Now there is enough information for fail2ban to do "something", like ban his ass for 2000 years :)

Enough to convince you to use Asterisk 11? For me it is sufficient to put 11 as our main distribution.

If you're convinced and would like to use this, you will need the following:

1) Asterisk 11 (with or without FreePBX)

2) Enable security channel

3) Install/use latest fail2ban or version 0.8.8

4) Setup the appropriate jail.conf and patterns

5) Auto start fail2ban after asterisk starts (important!)

In this guide I will not show you how to set up or upgrade to Asterisk 11; there is a posting on this blog where you can already find those steps. I will start from no. 2 onwards. Do note that this is designed for a Debian system, but you can of course adapt the settings herein to your own operating system. For fail2ban's requirements visit www.fail2ban.org; for what follows you basically need iptables and Python 2.4 or higher.

Enable security channel logs

FreePBX users, the "Log File Setting" module does not offer security as an option, so the only way is to edit the file /etc/asterisk/logger_logfiles_custom.conf. By default the "messages" channel is also not created in FreePBX, so now that you want to take advantage of fail2ban, enable it. FreePBX users add the following line:

messages => security,notice,warning,error

If you're not using FreePBX, simply add the line above to logger.conf under the [logfiles] section.

Reload the logger:

#asterisk -rx "logger reload"

Now check whether the messages log is being populated; in my installation the log files are in /var/log/asterisk/

#tail -f /var/log/asterisk/messages

If you see entries with "SECURITY" as the event type, it works; proceed to the next step.

Install/upgrade/configure/autostart the latest fail2ban

The apt repo for fail2ban is only at version 0.6.X, which lacks some cool features like single-host unbanning. Install fail2ban with dpkg first, then upgrade it from the source tarball.

Now, let's start editing the important files; be sure to copy and paste correctly.

#cd /etc/fail2ban

#cp jail.conf jail.original.conf

#nano jail.conf

Be sure to edit the dest email. This jail triggers the iptables-allports action, meaning the source address is banned from all ports for 259200 seconds after 6 attempts. Modify as you wish. An email with WHOIS information will be sent to the email address specified. Notice we are checking /var/log/asterisk/messages, as defined above, for the event triggers seen in item 15 of asterisk.conf below.

Inside jail.conf there is an option called ignoreip = 127.0.0.1; you can add more IPs that you want to whitelist there. Each "ignoreip" entry can be an IP address, a CIDR mask or a DNS host name, separated by spaces.

Now we edit the filter; this is where we take advantage of the security log. See the final few entries, which carry the patterns for security-log based log entries as well.
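To see what the filter actually does with the security channel entries, here is an added Python example (not this post's or fail2ban's own code) that runs a simplified form of the asterisk.conf security-log failregex over constructed sample lines and applies the jail's maxretry of 6 from above. The <HOST> expansion, the helper names and the sample log lines are my own assumptions.

```python
import re
from collections import Counter

# Simplified form of the security-log failregex from fail2ban's asterisk.conf
# filter (assumption: trimmed to the fields that matter for matching).
# fail2ban replaces <HOST> with its own host-capturing group; we do the same
# substitution by hand so the pattern can run under the plain re module.
FAILREGEX = (
    r'^\[[^\]]+\] SECURITY\[\d+\] \S+: SecurityEvent="(?P<event>FailedACL|'
    r'InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'.*RemoteAddress="IPV[46]/(?:UDP|TCP|WS)/<HOST>/\d+"'
)
HOST = r'(?P<host>[\w.:-]+)'  # stand-in for fail2ban's <HOST> tag
FAILREGEX_RE = re.compile(FAILREGEX.replace('<HOST>', HOST))

def security_line(ts, event, ip):
    """Build a constructed sample line in the Asterisk 11 security channel format."""
    return (f'[{ts}] SECURITY[2345] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="1379577601-000000",Severity="Error",Service="SIP",'
            f'EventVersion="1",AccountID="1000",SessionID="0x7f8a4c0028a8",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')

# Constructed sample log: six password failures from one source (enough to trip
# the jail's maxretry = 6), one bad account ID from another, and one successful auth.
SAMPLE_LOG = (
    [security_line(f'2013-09-19 10:00:0{i}', 'ChallengeResponseFailed', '203.0.113.5')
     for i in range(6)]
    + [security_line('2013-09-19 10:00:07', 'InvalidAccountID', '198.51.100.7'),
       security_line('2013-09-19 10:00:08', 'SuccessfulAuth', '192.0.2.20')]
)

def parse_security_line(line):
    """Return (event, remote_ip) for a matching failure line, else None."""
    m = FAILREGEX_RE.match(line)
    return (m.group('event'), m.group('host')) if m else None

def offending_hosts(lines, maxretry=6):
    """Count matched failures per remote IP; return those that reached maxretry."""
    counts = Counter()
    for line in lines:
        hit = parse_security_line(line)
        if hit:
            counts[hit[1]] += 1
    return {ip: n for ip, n in counts.items() if n >= maxretry}

if __name__ == '__main__':
    for ip, n in offending_hosts(SAMPLE_LOG).items():
        print(f'{ip}: {n} failures, would be banned by the asterisk jail')
```

Only the RemoteAddress field is captured as the host, so a successful authentication or an event type outside the list never counts toward a ban.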

#cd /etc/fail2ban/filter.d/

#cp asterisk.conf asterisk.original.conf

#nano asterisk.conf

Copy and paste exactly as shown below. Remember, each pattern must be on a single line even if the blog does not show it that way. Change what you see fit, but if you don't know what you're doing, don't change it.

##start##

# Fail2Ban configuration file
# Author: Xavier Devlamynck

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf